Malicious PDF — malware analysis report

Static analysis result for SHA-256 0c24abaa209271f4…

MALICIOUS

PDF

Size: 44.4 KB
Authoring application: Soda PDF
MD5: 385a2a8dbe3e8ebd36357c91d3083bbf
SHA-1: 6eb34db3099367bb2583896218afcf9edf5a5338
SHA-256: 0c24abaa209271f400bf534125aa810da245e3d79895c70acfd8475f0eaf1e14
Risk score: 172

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains an unusually large number of external links (a "link farm"), consistent with phishing or malware distribution rather than ordinary document citations. The document body, though partially corrupted, refers to an "alternative android file transfer app" and carries multiple URLs that likely lead to malicious content. The ClamAV signature hit and the ML classifier score corroborate the verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • SE_QR_LURE (medium): QR-code redirect lure
    Document instructs the user to scan a QR code with a phone. This is consistent with QR phishing, but is also common in legitimate documents.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The fontawesome.io and dejavu.sourceforge.net entries are the license URLs carried in the metadata of the embedded fonts (see Extracted artifacts below) and are not link-farm targets.
    • http://rcaleel.com/uploads/1/3/0/2/130289242/sawizuji.pdf
    • http://mnbaby590988.org/uploads/1/3/0/5/130546391/rosum.pdf
    • http://circulosmatematicos.weebly.com/uploads/1/3/0/4/130435609/1920945.pdf
    • http://davidgarson.com/uploads/1/3/0/6/130605475/faxemejibake.pdf
    • http://truedefensepdr.com/uploads/1/3/0/4/130483302/kegegafa.pdf
    • http://bbt.network/uploads/1/3/0/6/130605164/5780697.pdf
    • https://ravexiberoder.weebly.com/uploads/1/3/0/5/130550772/4996496.pdf
    • http://muttsociety.com/uploads/1/3/0/5/130588500/da84c441871a.pdf
    • http://nolaninc.net/uploads/1/3/0/4/130435573/gulut-kegapo-betejototi.pdf
    • http://8200doral.com/uploads/1/3/0/2/130272610/a10a0ca.pdf
    • http://davidmarquesibanez.com/uploads/1/3/0/5/130590658/130590658.html#alternative+android+file+transfer+app
    • http://fontawesome.io
    • http://fontawesome.io/license/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
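
The PDF_SEO_LINK_FARM heuristic above counts clickable external links in a small file and looks at how they cluster. The following is an added example, not the analyzer's own code, that implements such a check in Python over raw PDF bytes: it pulls the /URI targets out of uncompressed link-annotation dictionaries, buckets them by host and, going one step beyond the heuristic text, by digit-normalised path template, and applies size and link-count thresholds. The sample input is a minimal PDF constructed here around the link targets listed under EMBEDDED_URL; the PDF wrapper, the object layout and the thresholds are assumptions, not carved from the real file.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Thresholds are assumptions for this example, not the report's own tuning.
MAX_SIZE_BYTES = 200 * 1024
MIN_EXTERNAL_LINKS = 8

# Matches literal-string /URI values inside uncompressed link-annotation actions.
# Hex strings and objects inside compressed object streams are not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def extract_uris(pdf: bytes) -> list:
    """Return /URI targets in order of appearance, with PDF string escapes undone."""
    uris = []
    for m in URI_RE.finditer(pdf):
        raw = m.group(1)
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def path_template(url: str) -> str:
    """Collapse digit runs and drop the last component: /uploads/1/3/0/2/130289242/x.pdf -> /uploads/N/N/N/N/N."""
    path = urlparse(url).path
    return re.sub(r"\d+", "N", path).rsplit("/", 1)[0] or "/"


def classify(pdf: bytes, max_size=MAX_SIZE_BYTES, min_links=MIN_EXTERNAL_LINKS) -> dict:
    """Apply the small-file / many-outbound-links rule and report the clustering evidence."""
    external = [u for u in extract_uris(pdf) if urlparse(u).scheme in ("http", "https")]
    hosts = Counter(urlparse(u).hostname for u in external)
    templates = Counter(path_template(u) for u in external)
    n = len(external)
    return {
        "size": len(pdf),
        "external_links": n,
        "distinct_hosts": len(hosts),
        "top_host_share": hosts.most_common(1)[0][1] / n if n else 0.0,
        "top_path_template": templates.most_common(1)[0] if n else None,
        "link_farm": len(pdf) <= max_size and n >= min_links,
    }


def build_sample_pdf(urls) -> bytes:
    """Constructed test input: a minimal uncompressed PDF with one /Link annotation per URL."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ("
        + u.encode("latin-1") + b") >> >>\n"
        for u in urls
    )
    header = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [\n")
    footer = b"] >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    return header + annots + footer


# Link targets as listed in the report above; the PDF around them is constructed here.
REPORT_URLS = [
    "http://rcaleel.com/uploads/1/3/0/2/130289242/sawizuji.pdf",
    "http://mnbaby590988.org/uploads/1/3/0/5/130546391/rosum.pdf",
    "http://circulosmatematicos.weebly.com/uploads/1/3/0/4/130435609/1920945.pdf",
    "http://davidgarson.com/uploads/1/3/0/6/130605475/faxemejibake.pdf",
    "http://truedefensepdr.com/uploads/1/3/0/4/130483302/kegegafa.pdf",
    "http://bbt.network/uploads/1/3/0/6/130605164/5780697.pdf",
    "https://ravexiberoder.weebly.com/uploads/1/3/0/5/130550772/4996496.pdf",
    "http://muttsociety.com/uploads/1/3/0/5/130588500/da84c441871a.pdf",
    "http://nolaninc.net/uploads/1/3/0/4/130435573/gulut-kegapo-betejototi.pdf",
    "http://8200doral.com/uploads/1/3/0/2/130272610/a10a0ca.pdf",
    "http://davidmarquesibanez.com/uploads/1/3/0/5/130590658/130590658.html#alternative+android+file+transfer+app",
]

SAMPLE_PDF = build_sample_pdf(REPORT_URLS)

if __name__ == "__main__":
    verdict = classify(SAMPLE_PDF)
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

A regex over raw bytes only sees URIs stored as literal strings in uncompressed objects; a real triage tool has to inflate FlateDecode streams and walk object streams (a parser such as pypdf does this), or the farm hides in a compressed object stream. The path-template clustering is the telling signal for this sample: the hosts are all different, but every target sits under the same generated /uploads/N/N/N/N/N/ directory shape, which is what "generated SEO/link-farm carrier" looks like in practice.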

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001279.bin
  SHA-256: 0fe873ebffb2d0afa232cb91666d7a365a5255b710428f4080928bea62bd567d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1279
  Size: 9132 bytes
Filename: font_01_sfnt_off00005c35.bin
  SHA-256: bf9f5eef45e7451483c1859b967753b5c44c1f4fa7b497dc285ce4025d129f63
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5C35
  Size: 16872 bytes
Filename: font_02_sfnt_off00007378.bin
  SHA-256: e06a1af43329ced8437d62c03e71820c36c76624ac4d947124b9177a3ba6bf46
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7378
  Size: 1740 bytes